Dane testing and posttls-finger ???
john at klam.ca
Sat Apr 11 04:30:25 CEST 2015
> 1. MTAs should run their own caching resolvers, even if they forward
> to another caching resolver upstream (e.g. 22.214.171.124).
I used to run a local caching server, but ran into a problem when I
first started using DNSSEC. To make life a little easier while sorting
out the DNSSEC problems I got rid of it.
Reinstated as of today.
Using posttls-finger now produces expected results.
> 2. If you are doing any RBL lookups, you must not make them via an
> upstream forwarder (avoid looking up RBLs via 126.96.36.199 and friends).
A little thought and this is obvious.
> 3. If you want any security from DANE when sending outbound
> email to remote domains, you MUST use a local 127.0.0.1
> resolver that validates DNSSEC record signatures for itself.
Done, but why?
> If you're not using 'smtp_tls_security_level = dane', then
> the local resolver is not essential for security, but is still
> a good idea.
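The reason behind point 3, as an added illustration that is not part of the post: Postfix only treats a TLSA lookup as DNSSEC-validated when the resolver sets the AD (authentic data) flag in the response header, and that flag is a plain, unsigned header bit. It is trustworthy only when the resolver that set it is reached over a path no one else can touch, i.e. loopback; an AD bit arriving from a forwarder across the network proves nothing. The Python below (example code, not from the dane-users list or Postfix) decodes the header flags of a DNS message and applies that rule; the two sample responses and the remote resolver address 192.0.2.53 are constructed for the example.

```python
"""Added example: decode DNS header flags and apply the rule
'trust the AD bit only from a loopback resolver'. Sample messages are constructed."""
import ipaddress
import struct

# RFC 1035 section 4.1.1 header: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
# (six 16-bit fields in network byte order)
FLAG_QR = 0x8000  # message is a response
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available
FLAG_AD = 0x0020  # authentic data (RFC 4035): set by a validating resolver
FLAG_CD = 0x0010  # checking disabled
RCODE_MASK = 0x000F


def make_header(ident: int, flags: int, qdcount: int = 1, ancount: int = 0) -> bytes:
    """Build a 12-byte DNS header (used here only to construct sample responses)."""
    return struct.pack("!HHHHHH", ident, flags, qdcount, ancount, 0, 0)


def parse_header(msg: bytes) -> dict:
    """Decode the fixed DNS header; raises on anything shorter than 12 bytes."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": ident,
        "is_response": bool(flags & FLAG_QR),
        "rcode": flags & RCODE_MASK,
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "qdcount": qd,
        "ancount": an,
    }


def tlsa_answer_usable(msg: bytes, resolver_ip: str) -> bool:
    """True only when the answer is a clean response, the resolver asserted
    validation (AD=1), and the resolver was reached over loopback.

    The AD bit is not covered by any signature: a forwarder, or anything on
    the path to it, can set or clear it. It therefore carries meaning only
    when the resolver that set it is the local validating one."""
    hdr = parse_header(msg)
    local = ipaddress.ip_address(resolver_ip).is_loopback
    return hdr["is_response"] and hdr["rcode"] == 0 and hdr["ad"] and local


# Constructed sample responses (header only; no question or answer sections).
VALIDATED = make_header(0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD, ancount=1)
UNVALIDATED = make_header(0x1234, FLAG_QR | FLAG_RD | FLAG_RA, ancount=1)

if __name__ == "__main__":
    # 192.0.2.53 stands in for a remote forwarder (documentation address, constructed).
    for name, msg in (("validated", VALIDATED), ("unvalidated", UNVALIDATED)):
        for ip in ("127.0.0.1", "192.0.2.53"):
            print(f"{name:11s} via {ip:10s} -> usable for DANE: {tlsa_answer_usable(msg, ip)}")
```

Only the validated response obtained from 127.0.0.1 (or ::1) passes; the same validated response seen via 192.0.2.53 is rejected, which is exactly the distinction behind the "MUST use a local 127.0.0.1 resolver" rule. In Postfix the corresponding setting is smtp_dns_support_level = dnssec alongside smtp_tls_security_level = dane, with /etc/resolv.conf pointing only at the loopback resolver.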